Skip to Content
Main Content

Hiker Looking Out Over Mountains

5 Minute Read | February 5, 2019

The California Consumer Privacy Act

What You Need to Know and How to Prepare

In 2018, massive data breaches affected hundreds of millions of users. Facebook (multiple times), the Marriott hotel chain, Comcast, and even Google Plus failed to protect users. Currently, these businesses face no serious legal repercussions. They saw minimal backlash even when they acknowledge these breaches in public statements.

That will change. In June of 2018, California legislators passed the California Consumer Privacy Act (CCPA). Among other things, it gives California residents the power to deny the sale of their personal information. The CCPA holds companies accountable for mishandling consumer information. It will go into effect on Jan. 1, 2020.

Here’s what you need to know, as an internet business, about CCPA and how to prepare for it.

What is the CCPA?

The three main goals of the California Consumer Privacy Act, also called the California Data Privacy Act, are:

  1. To Maintain Transparency. Users should know what personal information such companies as Google and Facebook collect about them.
  2. To Maintain Control. A user can require a company not to sell personal information without fear of the company retaliating by limiting service or raising cost for that user.
  3. Maintain Accountability. Because of massive data breaches, the CCPA holds businesses accountable for misusing consumers’ personal data or failing to protect it. The Act allows individual legal action against companies for these violations.

Rights Protected by the CCPA

The main clauses of the CCPA emphasize a consumer’s right to opt out of the sale of their information. Users must also have the right to full disclosure. That is, they have the right to know what data a business collects. The CCPA specifies the following consumer rights:

  • The right to know all the data that a business has collected on the user, provided free of charge twice a year at the business’s expense.
  • The right to deny the sale of your information without fear of retaliation or discrimination.
  • The right to delete data you have posted.
  • The right to sue companies who collected your data if that data is breached.
  • The right to know what types of data the company collects prior to collection or at the point of collection. This includes any changes to data collection methods.
  • Mandatory opt-in by a parent on behalf of minors (16 and under ).
  • The right to know the business categories of third parties who purchase user data.
  • The right to know the sources of personal information, such as that found in your Facebook or Google account.
  • The right to know a business’s purpose for collecting your information.

What Personal Data Must be Disclosed?

The CCPA defines “personal data” as the following types of information. Businesses must inform people if they collect:

  • Real name
  • Mailing address
  • Email address
  • IP address
  • Social Security number
  • Race, ethnicity and gender
  • Employment information
  • Consumer history
  • Biometric data
  • Medical data
  • Location data
  • Browsing/search history
  • Audio, video, electronic, or similar data
  • Inferences drawn from any of the above information.
  • Any of these categories related to minor children of the consumer.

How Does CCPA Relate to GDPR?

Similarities between CCPA and GDPR

Some refer to CCPA as “California’s GDPR,” but the rights involved and the extent of coverage differ in some areas and overlap in others.

Both grant users the right to opt out of the collection and sale of data. Both the CCPA and GDPR grant users the right to receive copies of their personal data from an organization. This goes along with the user’s right to know what the company collects and what third-party organizations have access to that data. Like the CCPA, GDPR also grants users the right to delete personal data (the Data Erasure clause). This forces the data collector to erase the user’s personal data, stop collecting it, and halt in-progress third-party processing.

Differences between CCPA and GDPR

  • User Consent: GDPR and CCPA define consent differently. GDPR requires a company to ask for users’ consent before collection of their data. GDPR also requires that companies obtain explicit (active) consent before collecting sensitive data, including that related to race, sex, and medical history and like matters. CCPA does not require businesses to ask for consent before collection. CCPA allows users to opt out of the sale – not the collection – of data. It does require explicit parental consent for sale of data of minors under 16.
  • Affected Organizations: GDPR has wider geographic range. The regulations extend to any company that collects personal data of anyone who lives in the EU, including organizations located outside the EU.
  • Penalties: GDPR handles penalties differently than the CCPA. The maximum penalty for non-compliance with GDPR regulations will cost an organization 4 percent of annual revenue, or €20 million (whichever is greater). The CCPA penalizes organizations on a per-violation basis with no ceiling.

For more information, see our blog on GDPR and its impact on organizations, or visit the official GDPR website.

CCPA Compliance

Who Needs to Comply?

Companies that do business in the state of California must comply with the CCPA. These companies must also meet one of the following thresholds:

  • Earns at least $25 million in annual revenue (adjusted every other year in accordance with the Consumer Price Index).
  • Buys, receives, sells or shares personal information of at least 50,000 customers, households or devices per year.
  • At least 50 percent of its annual revenue comes from selling consumers’ personal information.

Requirements for Compliance

The CCPA requires businesses to allow users to opt out of selling their information. It includes the following compliance requirements for the Opt-Out clause:

  1. Add an obvious “Do Not Sell My Personal Information” link on the site home page. Add a link to the public homepage unless the site redirects California users to a separate homepage that contains this link. The link must take the user to an opt-out page.
  2. Create a page where users can opt out of the sale of their information.Your website must have a page where users can opt out of the sale of personal data. You cannot require them to create an account on your website in order to opt out. After a user has opted out, do not sell their personal data. Save this opt-out preference for a year. You may prompt them to opt out of the sale of data again after one year.
  3. Add a description of a consumer’s rights to opt out of the sale of personal information. Write this description in plain language, not in legal terms. Add a link to the “Do Not Sell My Personal Information” page to the online privacy policy and any California-specific description of privacy rights pages. 

Compliance with the Right to Know and Disclosure clauses requires that businesses do the following:

  1. Give your consumers two ways to submit requests for information. Allow users to request their information via a toll-free telephone number and a website address.
  2. Disclose and deliver the information to the consumers. Provide users with all data you have collected on them. Send this to the user, free of charge, within 45 days of receiving a request. Again, you cannot force users to make an account on the site to submit requests for data. The same restriction applies when users choose to opt out of selling their data.

Penalties for Non-Compliance

Penalties for non-compliance add up quickly. Anyone who violates the CCPA – intentionally or unintentionally – may face a civil penalty for each offense. A business may pay penalties up to $7,500 for each violation in the case of a breach. 

For more information on the California Consumer Privacy Act, visit the website.



Northwoods and CookiePro by One Trust can help you streamline cookie consent to meet both current and future privacy laws. Reach out to us to get started!

Authored By

Amanda Aalpoel

Amanda Aalpoel

Senior Web Developer

hand-drawn owl

Get Expert Tips

3616012/Blog/The-California-Consumer-Privacy-Act-What-To-Know-and-How-to-PrepareWhat You Need to Know and How to Prepare5
<p>In 2018, massive data breaches affected hundreds of millions of users. Facebook (multiple times), the Marriott hotel chain, <a href="https://clark.com/consumer-issues-id-theft/report-comcast-xfinity-security-flaw-exposed-personal-data-of-26-million-customers/" linktype="3" target="_blank">Comcast</a>, and even <a href="https://www.pcworld.com/article/3326821/data-center-cloud/google-plus-data-breach-delete-profile.html" linktype="3" target="_blank">Google Plus</a> failed to protect users. Currently, these businesses face no serious legal repercussions. They saw minimal backlash even when they acknowledge these breaches in public statements.</p> <p>That will change. In June of 2018, California legislators passed the California Consumer Privacy Act (CCPA). Among other things, it gives California residents the power to deny the sale of their personal information. The CCPA holds companies accountable for mishandling consumer information. It will go into effect on Jan. 1, 2020.</p> <p>Here&rsquo;s what you need to know, as an internet business, about CCPA and how to prepare for it.</p> <h2>What is the CCPA?</h2> <p>The three main goals of the California Consumer Privacy Act, also called the California Data Privacy Act, are:</p> <ol> <li><strong>To Maintain Transparency.</strong> Users should know what personal information such companies as Google and Facebook collect about them.</li> <li><strong>To Maintain Control. </strong>A user can require a company not to sell personal information without fear of the company retaliating by limiting service or raising cost for that user.</li> <li><strong>Maintain Accountability. </strong>Because of massive data breaches, the CCPA holds businesses accountable for misusing consumers&rsquo; personal data or failing to protect it. The Act allows individual legal action against companies for these violations.</li> </ol> <h3>Rights Protected by the CCPA</h3> <p>The main clauses of the CCPA emphasize a consumer&rsquo;s right to opt out of the sale of their information. Users must also have the right to full disclosure. That is, they have the right to know what data a business collects. The CCPA specifies the following consumer rights:</p> <ul> <li>The right to know all the data that a business has collected on the user, provided free of charge twice a year at the business&rsquo;s expense.</li> <li>The right to deny the sale of your information without fear of retaliation or discrimination.</li> <li>The right to delete data you have posted.</li> <li>The right to sue companies who collected your data if that data is breached.</li> <li>The right to know what types of data the company collects prior to collection or at the point of collection. This includes any changes to data collection methods.</li> <li>Mandatory opt-in by a parent on behalf of minors (16 and under&nbsp;).</li> <li>The right to know the business categories of third parties who purchase user data.</li> <li>The right to know the sources of personal information, such as that found in your Facebook or Google account.</li> <li>The right to know a business&rsquo;s purpose for collecting your information.</li> </ul> <h3>What Personal Data Must be Disclosed?</h3> <p>The CCPA defines &ldquo;personal data&rdquo; as the following types of information. Businesses must inform people if they collect:</p> <ul> <li>Real name</li> <li>Mailing address</li> <li>Email address</li> <li>IP address</li> <li>Social Security number</li> <li>Race, ethnicity and gender</li> <li>Employment information</li> <li>Consumer history</li> <li>Biometric data</li> <li>Medical data</li> <li>Location data</li> <li>Browsing/search history</li> <li>Audio, video, electronic, or similar data</li> <li>Inferences drawn from any of the above information.</li> <li>Any of these categories related to minor children of the consumer.</li> </ul> <h3>How Does CCPA Relate to GDPR?</h3> <h4>Similarities between CCPA and GDPR</h4> <p>Some refer to CCPA as <a href="https://www.networkworld.com/article/3286611/data-center/while-no-one-was-looking-california-passed-its-own-gdpr.html" linktype="3" target="_blank">&ldquo;California&rsquo;s GDPR,&rdquo;</a> but the rights involved and the extent of coverage differ in some areas and overlap in others.</p> <p>Both grant users the right to opt out of the collection and sale of data. Both the CCPA and GDPR grant users the right to receive copies of their personal data from an organization. This goes along with the user&rsquo;s right to know what the company collects and what third-party organizations have access to that data. Like the CCPA, GDPR also grants users the right to delete personal data (the Data Erasure clause). This forces the data collector to erase the user&rsquo;s personal data, stop collecting it, and halt in-progress third-party processing.</p> <h4>Differences between CCPA and GDPR</h4> <ul> <li><strong>User Consent:</strong> GDPR and CCPA define consent differently. GDPR requires a company to ask for users&rsquo; consent before collection of their data. GDPR also requires that companies obtain explicit (active) consent before collecting sensitive data, including that related to race, sex, and medical history and like matters. CCPA does not require businesses to ask for consent before collection. CCPA allows users to opt out of the sale &ndash; not the collection &ndash; of data. It does require explicit parental consent for sale of data of minors under 16.</li> <li><strong>Affected Organizations</strong>: GDPR has wider geographic range. The regulations extend to any company that collects personal data of anyone who lives in the EU, including organizations located outside the EU.</li> <li><strong>Penalties:</strong> GDPR handles penalties differently than the CCPA. The maximum penalty for non-compliance with GDPR regulations will cost an organization 4 percent of annual revenue, or &euro;20 million (whichever is greater). The CCPA penalizes organizations on a per-violation basis with no ceiling.</li> </ul> <p>For more information, <a href="/Blog/A-Quick-Look-at-GDPR-and-How-it-Will-Impact-Your-Organization" linktype="8" target="_self">see our blog on GDPR</a> and its impact on organizations, or <a href="https://eugdpr.org/" linktype="3" target="_blank">visit the official GDPR website</a>.</p> <h2>CCPA Compliance</h2> <h3>Who Needs to Comply?</h3> <p>Companies that do business in the state of California must comply with the CCPA. These companies must also meet one of the following thresholds:</p> <ul> <li>Earns at least $25 million in annual revenue (adjusted every other year in accordance with the Consumer Price Index).</li> <li>Buys, receives, sells or shares personal information of at least 50,000 customers, households or devices&nbsp;per year.</li> <li>At least 50 percent of its annual revenue comes from selling consumers&rsquo; personal information.</li> </ul> <h3>Requirements for Compliance</h3> <p>The CCPA requires businesses to allow users to opt out of selling their information. It includes the following compliance requirements for the <strong>Opt-Out clause:</strong></p> <ol> <li><strong>Add an obvious &ldquo;Do Not Sell My Personal Information&rdquo; link on the site home page</strong>. Add a link to the public homepage unless the site redirects California users to a separate homepage that contains this link. The link must take the user to an opt-out page.</li> <li><strong>Create a page where users can opt out of the sale of their information.</strong>Your website must have a page where users can opt out of the sale of personal data. <strong>You cannot require them to create an account on your website in order to opt out.</strong> After a user has opted out, do not sell their personal data. Save this opt-out preference for a year. You may prompt them to opt out of the sale of data again after one year.</li> <li><strong>Add a description of a consumer&rsquo;s rights to opt out of the sale of personal information</strong>. Write this description in plain language, not in legal terms. Add a link to the &ldquo;Do Not Sell My Personal Information&rdquo; page to the online privacy policy and any California-specific description of privacy rights pages.&nbsp;</li> </ol> <p>Compliance with the<strong> Right to Know</strong> and <strong>Disclosure</strong> clauses requires that businesses do the following:</p> <ol> <li><strong>Give your consumers two ways to submit requests for information.</strong> Allow users to request their information via a toll-free telephone number and a website address.</li> <li><strong>Disclose and deliver the information to the consumers.</strong> Provide users with all data you have collected on them. Send this to the user, free of charge, within 45 days of receiving a request. Again, you cannot force users to make an account on the site to submit requests for data. The same restriction applies when users choose to opt out of selling their data.</li> </ol> <h3>Penalties for Non-Compliance</h3> <p>Penalties for non-compliance add up quickly. Anyone who violates the CCPA &ndash; intentionally or unintentionally &ndash; may face a civil penalty for each offense. A business may pay penalties up to $7,500 for each violation in the case of a breach.&nbsp;</p> <p>For more information on the <a href="https://www.caprivacy.org/" linktype="3" target="_blank">California Consumer Privacy Act, visit the website.</a></p> <hr /> <h5><br /> <strong>Northwoods and CookiePro by One Trust can help you streamline cookie consent to meet both current and future privacy laws. <a href="/Contact-Us" linktype="2" target="_self">Reach out to us</a> to get started!</strong></h5>
/Northwoods-2020/Hero-Images/Hiker-Looking-Out-Over-Mountains.pngHiker Looking Out Over MountainsAmanda Aalpoel/Northwoods-2020/People/Amanda-Aalpoel.jpgWoman in front of a log cabin wall with soft, warm lighting<script charset="utf-8" type="text/javascript" src="//js.hsforms.net/forms/embed/v2.js"></script><script>hbspt.forms.create({ region: "na1", portalId: "23630176", formId: "40c5bbae-05a2-42ea-94dd-1662181fd56e" });</script>The California Consumer Privacy Act2019-02-05T00:00:00/Northwoods-2019/Blogs/CaliforniaPrivacy.jpg?MediumWondering how your business should prepare for the California Consumer Privacy Act? Find out how to ensure you remain in compliance.3618813/People/Amanda-AalpoelAmandaAalpoelSenior Web Developer<p>Amanda is a full stack developer with a talent for improving interface designs, navigating the complexities of custom web app development, and Azure resource administration. She&rsquo;s experienced in SharePoint site intranet customization and business intelligence reporting and is certified as an Azure Developer Associate. Amanda enjoys getting to know clients and their specific needs to produce results that are functional, modern, and sustainable. In her free time, she enjoys video games and hanging out with her dog Leia.</p>Amanda Aalpoel/Northwoods-2020/People/Amanda-Aalpoel.jpgAmanda AalpoelAdd-In Type - NWS Data ModulesCategory - NWS Data ModulesCommittee - NWS Data ModulesDivision - NWS Data ModulesEvent Audience - NWS Data ModulesEvent Service - NWS Data ModulesEvent Type - NWS Data ModulesLocality - NWS Data ModulesModule - NWS Data ModulesPackage Type - NWS Data ModulesPersonID - NWS Data ModulesAmanda AalpoelProductVersion - NWS Data ModulesRecorded Webinar TopicsRegion - NWS Data ModulesSite Display - NWS Data ModulesSkillLevel - NWS Data ModulesTopic - NWS Data ModulesVideoAudience - NWS Data ModulesVideoClassification - NWS Data ModulesVideoStatus - NWS Data ModulesTeamAll StaffDevelopersAdd-In Type - NWS Data ModulesCategory - NWS Data ModulesCommittee - NWS Data ModulesDivision - NWS Data ModulesEvent Audience - NWS Data ModulesEvent Service - NWS Data ModulesEvent Type - NWS Data ModulesLocality - NWS Data ModulesModule - NWS Data ModulesPackage Type - NWS Data ModulesPersonID - NWS Data ModulesAmanda AalpoelProductVersion - NWS Data ModulesRecorded Webinar TopicsRegion - NWS Data ModulesSite Display - NWS Data ModulesNWS DigitalSkillLevel - NWS Data ModulesTopic - NWS Data ModulesData & AnalyticsPrivacyVideoAudience - NWS Data ModulesVideoClassification - NWS Data ModulesVideoStatus - NWS Data Modules02024-02-20T13:19:45.40000